Network connections may enable some computers to access other computers. While this functionality may increase accessibility, utility, and/or productivity among those computers, such network connections may expose and/or introduce those computers to certain vulnerabilities and/or security risks. For example, one computer may access another computer within an enterprise network using a protocol such as Secure Shell (SSH), Virtual Network Computing (VNC), and/or File Transfer Protocol (FTP). Such protocols may enable an attacker to perform and/or carry out password cracking, data harvesting, lateral movement, exfiltration, and/or other malicious actions in connection with those computers.
Unfortunately, some conventional security services may be unable to distinguish malicious network connections from benign network connections. Moreover, such security services may simply rely on ad-hoc rules based on human intuition rather than correlating malicious network connections with corresponding features. The instant disclosure, therefore, identifies and addresses a need for systems and methods for preventing malicious network connections using correlation-based anomaly detection.